Practical Guide: Auto-Generating JD.com H5ST Encryption Parameters with AI + Skills + MCP
Automate JD.com H5ST encryption parameter generation using AI, Skills prompts, and MCP tools.
This guide demonstrates how to combine AI, Skills (structured skill-based prompts), and MCP (Model Context Protocol) tools to automatically reverse engineer and generate JD.com's complex H5ST encryption parameters. Instead of spending hours manually patching browser environments in Node.js, this approach uses Skills to provide AI with a structured reverse engineering workflow and MCP to enable actual code execution and verification, creating a closed-loop automation process.
Introduction: The Challenge of JD.com's H5ST Encryption
In the world of e-commerce data collection, JD.com's H5ST encryption parameter has long been a headache for web scraping developers. This parameter value spans over a thousand characters with a complex structure. Traditional reverse engineering approaches are not only time-consuming but also extremely tedious when it comes to environment patching. This article introduces a new approach that combines AI, Skills (skill-based prompts), and the MCP (Model Context Protocol) toolchain to automatically generate H5ST encryption parameters.
Analyzing JD.com's H5ST Encryption Parameters
Locating Key Request Parameters
By analyzing JD.com search requests using F12 developer tools, you can identify two critical fields in the query parameters: t (a 13-digit timestamp) and h5st (an encrypted signature). When you try removing these two parameters and resending the request, the server returns a 403 error — confirming that these parameters are essential for request validation.
The t parameter is straightforward — it's simply a standard 13-digit millisecond timestamp. The h5st parameter, however, is the real challenge. Its value is extremely long and seemingly random, requiring in-depth analysis to understand its generation logic.
Reverse Engineering the H5ST Generation Logic
By searching for keywords like h5st: and h5st= in the JS code, you can locate where H5ST is assigned. After setting breakpoints and stepping through the code, you'll discover:
- The H5ST value is obtained from the return value of an asynchronous callback
- The core encryption logic resides in the
signmethod of an object called_pdp - This object is mounted on
window.ParamsSign, and callingParamsSign.sign()generates the H5ST
The full call chain is: window.ParamsSign → instantiation → call sign method → returns a Promise object containing the H5ST.
The Dilemma of Traditional Environment Patching
Node.js Environment Gaps
When you copy JD.com's encryption JS code to run locally in Node.js, the first error you'll encounter is window is not defined. This happens because Node.js lacks the browser's window object and its associated APIs.
Limitations of Environment Patching Plugins
Using environment patching plugins can auto-generate a set of simulated browser environment code, but the results are far from ideal. In practice:
- The H5ST generated by the plugin's environment is only 786 characters long
- The real H5ST from the browser exceeds 1,000 characters
- The significant gap indicates incomplete environment patching
Missing environment components include APIs like CredentialEvent, which need to be extracted from the browser and manually added one by one. This process is not only tedious but also error-prone — using traditional methods, it can take hours or even longer to complete.
The Automated Solution: AI + Skills + MCP
Core Concept
Here we propose an entirely new approach: write specialized Skills (skill-based prompts) and pair them with MCP (Model Context Protocol) tools to let AI automatically handle the entire reverse engineering and environment patching workflow.
The key points are:
- It's not about simply asking AI to patch the environment — directly asking AI often leads to an endless cycle of "the more you patch, the messier it gets"
- Skills define a structured analysis workflow — guiding AI to execute step-by-step according to a predefined reverse engineering process
- MCP provides tool-calling capabilities — AI can actually read files, execute code, and verify results
Step-by-Step Walkthrough
Prepare two files in VS Code:
- JS file: Contains JD.com's core encryption code
- Python file: A basic scraping script (with hardcoded request parameters)
Then send a carefully crafted prompt to the AI, instructing it to:
- Analyze the encryption logic in the JS file
- Patch the browser environment needed for Node.js execution
- Replace the static parameters in the Python file with dynamically generated ones
- Ensure the final output correctly obtains the H5ST and makes successful requests
Verifying the Results
The AI follows the workflow defined in the Skills and automatically completes the analysis, ultimately producing:
- A complete, environment-patched JS encryption file
- A Python scraping script with dynamically generated parameters
Running the Python file returns a 200 status code with correct product data. Switching to different pages (page 2, page 3, page 7) all return the corresponding product information successfully, confirming the reliability of the solution.
Why Doesn't Asking AI Directly Work Well?
Many developers have thought of using AI to assist with reverse engineering, but direct questioning often yields poor results:
- Lack of structured workflow: AI doesn't know what order to analyze things in and easily misses critical steps
- Iteration hell: After fixing one environment issue, another pops up — endless iterations that never fully patch the environment
- No verification mechanism: Without MCP tool support, AI can't actually run code to verify results
Skills serve as a complete reverse engineering methodology for the AI, enabling it to work like an experienced reverse engineer, progressing step by step with the right approach. MCP gives AI the ability to actually manipulate files and execute code, creating a closed loop of "analyze → generate → verify → fix."
Conclusion and Reflections
This case study demonstrates a new paradigm for AI-assisted reverse engineering. The key isn't how powerful the AI itself is, but rather how to systematically transfer human reverse engineering expertise to AI through Skills and MCP, enabling it to efficiently execute complex analysis tasks.
For web scraping developers, this means that when facing complex encryption, you no longer need to spend hours manually debugging and patching environments. Instead, you can focus your energy on strategy design and workflow orchestration. Of course, this approach has its boundaries — for scenarios where encryption algorithms are frequently updated, the Skills themselves also need continuous iteration and optimization.
Related articles
Building an AI Stock Analysis System with Qwen3 + Dify: A Hands-On Tutorial
A hands-on guide to building a real-time AI stock analysis system using Dify workflows and Qwen3. Covers deployment, technical indicators (RSI/MACD/Bollinger Bands), and trading strategy generation.
Deep Dive into Cursor Refill Plugins: Pay-Per-Use Billing and Account Pool Scheduling Mechanisms
Deep analysis of Cursor refill plugin architecture: how clean account pool scheduling replaces cracking tools, the business logic of 35% pay-per-use pricing, and compliance risks developers should consider.
Ubisoft Co-Founder Claude Guillemot Dies in Plane Crash at Age 69
Ubisoft co-founder Claude Guillemot has died in a plane crash at age 69. He co-founded Ubisoft with his four brothers, creating iconic IPs like Assassin's Creed and Far Cry.